02-01-2010 08:33 PM
I am trying to configure a Cisco 871W router to terminate connections from a Cisco VPN client.
I can successfully connect to the VPN Router using the Cisco VPN client version 4.8.02.10.
However... I can't access ANY resources on the network.
I tried ping, traceroute and remote desktop... nothing.
Have I messed up some ACL, or is this a routing issue?
Is it a NAT issue?
Here is my config:
Thanks in advance.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname dr0ff
!
boot-start-marker
boot-end-marker
!
enable secret 5 *********
enable password 7 *********
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login remoteusers local
aaa authorization exec default local
aaa authorization network remotegroup local
!
!
aaa session-id common
!
crypto pki trustpoint T*********
enrollment selfsigned
subject-name *********
revocation-check none
rsakeypair *********
!
!
crypto pki certificate chain *********
certificate self-signed *********
dot11 syslog
!
dot11 ssid office
vlan 1
authentication open
authentication key-management wpa
guest-mode mbssid guest-mode
wpa-psk ascii 7 *********
dot11 ssid office guest-mode
authentication open
wpa-psk ascii 7 *********
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.0.116 192.168.0.254
!
ip dhcp pool Internal-net
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 1.2.3.4
domain-name dr.off
lease 4
!
!
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name dr.off
ip name-server 1.2.3.4
!
!
!
!
username batman privilege 15 password 7 *********
username robin privilege 15 password 7 *********
username joker privilege 4 secret 5 *********
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group remotegroup
key *********
pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
crypto map dynmap client authentication list remoteusers
crypto map dynmap isakmp authorization list remotegroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
ip address dhcp
ip access-group 101 in
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
crypto map dynmap
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 45
!
!
ssid office
!
ssid office guest-mode
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool dynpool 192.168.25.1 192.168.25.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.25.0 0.0.0.255 any
access-list 101 deny tcp any any eq telnet
access-list 101 permit tcp any any established
access-list 101 deny tcp any any eq 139 log
access-list 101 deny udp any any eq netbios-ns log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 deny udp any any eq netbios-ss log
access-list 101 deny icmp any any fragments
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any log
access-list 101 remark ** Permit all other traffic **
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
!
!
route-map nonat permit 10
match ip address 110
!
!
control-plane
!
bridge 1 route ip
!
line con 0
password 7 *********
no modem enable
line aux 0
line vty 0 4
password 7 *********
!
scheduler max-task-time 5000
end
02-02-2010 04:18 PM
Hi Tan,
Just replace the line
ip nat inside source list 1 interface FastEthernet4 overload
with
ip nat inside route-map nonat interface FastEthernet4 overload
02-02-2010 10:28 PM
I tried that command and received an error message.
Then I entered this command:
ip nat inside source route-map nonat interface FastEthernet4 overload
There was no error, but I can't access any resources on the LAN.
I can't even ping my default gateway, 192.168.25.2.
Ethernet adapter Local Area Connection 8:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . xxxxxxxxxxx
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.25.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.25.2
I can however ping the Public Internet address that I receive by DHCP from my ISP.
Can it be an ACL blocking all the traffic?
02-05-2010 08:29 AM
OK, got this to work.
I am replying in the thread so hopefully it will help someone else in the future.
Thanks to everyone that contributed.
After pudawat replied to add the parameter
ip nat inside route-map nonat interface FastEthernet4 overload
I found that I needed to add "source":
ip nat inside source route-map nonat interface FastEthernet4 overload
Then I enabled the logging on the VPN client and found
"AddRoute failed to add a route. code 87"
I then found the following:
http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_24164731.html
I upgraded my VPN client to 5.0.06.0160.
Connected immediately.
Thanks again to all.
Here is the final working config:
------------------------------------------
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname dr0ff
!
boot-start-marker
boot-end-marker
!
enable secret 5 *********
enable password 7 *********
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login remoteusers local
aaa authorization exec default local
aaa authorization network remotegroup local
!
!
aaa session-id common
!
crypto pki trustpoint T*********
enrollment selfsigned
subject-name *********
revocation-check none
rsakeypair *********
!
!
crypto pki certificate chain *********
certificate self-signed *********
dot11 syslog
!
dot11 ssid office
vlan 1
authentication open
authentication key-management wpa
guest-mode mbssid guest-mode
wpa-psk ascii 7 *********
dot11 ssid office guest-mode
authentication open
wpa-psk ascii 7 *********
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.0.116 192.168.0.254
!
ip dhcp pool Internal-net
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 1.2.3.4
domain-name dr.off
lease 4
!
!
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name dr.off
ip name-server 1.2.3.4
!
!
!
!
username batman privilege 15 password 7 *********
username robin privilege 15 password 7 *********
username joker privilege 4 secret 5 *********
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group remotegroup
key *********
pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
crypto map dynmap client authentication list remoteusers
crypto map dynmap isakmp authorization list remotegroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
ip address dhcp
ip access-group 101 in
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
crypto map dynmap
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 45
!
!
ssid office
!
ssid office guest-mode
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool dynpool 192.168.25.1 192.168.25.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http secure-server
ip nat inside source route-map nonat interface FastEthernet4 overload
!
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.25.0 0.0.0.255 any
access-list 101 deny tcp any any eq telnet
access-list 101 permit tcp any any established
access-list 101 deny tcp any any eq 139 log
access-list 101 deny udp any any eq netbios-ns log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 deny udp any any eq netbios-ss log
access-list 101 deny icmp any any fragments
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any log
access-list 101 remark ** Permit all other traffic **
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
!
!
route-map nonat permit 10
match ip address 110
!
!
control-plane
!
bridge 1 route ip
!
line con 0
password 7 *********
no modem enable
line aux 0
line vty 0 4
password 7 *********
!
scheduler max-task-time 5000
end
02-05-2010 09:46 AM
Hi Tan,
I missed the command to add "source" in it.
The essence is to NAT-EXEMPT the traffic from the LAN network to the VPN local pool.
Cheers!
Thanks,
Pradhuman
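The NAT-exempt decision the thread converges on, modelled as an added Python example (this is not code from the thread or from IOS): it evaluates access-list 1 and access-list 110 with Cisco wildcard-mask semantics and shows that, with the old "source list 1" statement, a LAN host's reply to the VPN client at 192.168.25.1 gets translated (so it never makes it back through the tunnel), while the "source route-map nonat" statement leaves it untranslated. Addresses and ACL names are taken from the posted config; the evaluator and the 203.0.113.10 Internet host are constructed for the example.

```python
import ipaddress

# Constructed model: first-match ACL evaluation, implicit deny at the end.
LAN_NET = "192.168.0.0"
VPN_POOL = "192.168.25.0"
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

# access-list 1 permit 192.168.0.0 0.0.0.255   (original, broken config)
ACL_1 = [("permit", (LAN_NET, "0.0.0.255"), ANY)]

# access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.25.0 0.0.0.255
# access-list 110 permit ip 192.168.0.0 0.0.0.255 any   (working config)
ACL_110 = [
    ("deny", (LAN_NET, "0.0.0.255"), (VPN_POOL, "0.0.0.255")),
    ("permit", (LAN_NET, "0.0.0.255"), ANY),
]

def acl_permits(acl, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    for action, (snet, swc), (dnet, dwc) in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False

def nat_applies(src, dst, use_route_map):
    """True when the packet's source would be translated on FastEthernet4.
    'ip nat inside source list 1 ...' translates whatever ACL 1 permits.
    'ip nat inside source route-map nonat ...' only translates what
    route-map nonat matches, i.e. what ACL 110 permits; the deny entry
    makes LAN -> VPN-pool traffic fall through, so it is NAT-exempt."""
    acl = ACL_110 if use_route_map else ACL_1
    return acl_permits(acl, src, dst)

def compare(src, dst):
    """Both NAT statements side by side for one LAN-originated flow."""
    return {"list 1": nat_applies(src, dst, False),
            "route-map nonat": nat_applies(src, dst, True)}

if __name__ == "__main__":
    # LAN host replying to the VPN client address seen in the thread
    print("reply to VPN client:", compare("192.168.0.50", "192.168.25.1"))
    # Ordinary Internet-bound flow is still translated either way
    print("Internet-bound:     ", compare("192.168.0.50", "203.0.113.10"))
```

The same check extends to any other subnet that must reach the VPN pool untranslated: add a matching deny to ACL 110 before its permit.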